Tuesday, December 24, 2013

Microsoft Windows Security Principals

In Windows, actions are taken by subjects on objects. The subjects are the
ones that need the access, and the objects are accessed in different ways (read,
write, etc.).

There are three types of security principals:
1 - The 'User' and, by extension, its more complicated relative, the 'Group'.
2 - The 'Computer'.
3 - The 'Process', or to be precise the 'Service'.
Every security principal is represented by an SID within a particular scope,
and the SID is unique within that scope. The above mentioned security
principals are explained below.

1 - The User
The user is the most basic type of security principal, the most basic entity
to which permissions can be assigned.
The default users on a Windows machine are the Administrator and the Guest. The
users on a stand-alone machine are managed by the SAM: the local SAM contains
all the users on that system. By default a Windows domain has the Domain
Administrator; the Guest account is also there, but in Windows 2003 and
later it is disabled by default.
The other type of user is the domain user, which is created on the
domain; it is created and maintained by Active Directory instead of the
local SAM. Once a computer becomes an Active Directory server the SAM does not
cease to exist or cease to function; in fact it remains and maintains the local
system users, which may be used for recovery operations.
The concept of users is pretty straightforward, so in this article we
will be talking about groups in MS Windows 2008 and later.

Groups (Security Groups)
According to Microsoft itself a 'user group' is a collection of user
accounts that all have the same security rights. User groups are also sometimes
referred to as security groups.
There are 6 different types of security groups; the first three are:
a - The Local Group
b - Global Group
c - Universal Group
These are explained below according to the permissions they can be assigned
and the members they can contain.

a - Local Group
Permissions Scope: they can be assigned permissions to resources in
the same domain they are defined in.
Possible Members: users, universal and global groups from any trusting
domain, or other domain local groups.

b - Global Group
Permissions Scope: resources in any domain in the forest the domain is part
of, or in any trusting forest.
Possible Members: users and global groups from the domain the group was defined
in.

c - Universal Group
Permissions Scope: resources in any trusting domain.
Possible Members: users, universal and global groups from any domain.
A fresh Active Directory installation will contain default groups of all
three types above. As we mentioned above, there are 6 different
types of security groups. The remaining three types are user-defined versions
of the above three, i.e.
d - User Defined Local Groups
e - User Defined Global Groups
f - User Defined Universal Groups
In a freshly installed default installation of Active Directory there are no
fewer than 63 groups. A large number of these groups abstract concepts called
Special Identities.

Special Identities
These groups represent dynamic aspects of a security principal, for example
the following dynamic groups (special identities):
INTERACTIVE: contains users that have logged on at a
terminal or via Terminal Services.
NETWORK: contains users that have logged on from over the
network. Given the purposes of the INTERACTIVE and NETWORK groups, a user
can be a member of only one of them and not the other.

AUTHENTICATED USERS: this group contains all users that have been
authenticated and given remote or terminal sessions on the machine. This is
the same as saying all users.
EVERYONE: as the name implies, this group includes all users.
The difference between the Authenticated Users group and the Everyone
group is that the Everyone group can contain a user which does not need
authentication, viz. the Guest user. Do note that since Windows 2003
onwards the Guest user has been disabled, so for all practical
purposes the groups Authenticated Users and Everyone have the
same component users.

2 - Computers
The second security principal type is 'Computers'. Computers are, for all
practical purposes, just another user in Active Directory.

3 - Services
The last type of security principal is a service. Since Microsoft Windows
2008, services are security principals to the extent that they have their own
security identifiers. The security identifier of the service can be used to
assign permissions on resources.
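As an added example, not part of the original post: the Python below parses SID strings, reports the scope in which each SID is unique (the point made at the top of the article), and derives a service SID from a service name. The well-known SID values and the service-SID derivation (SHA-1 of the upper-cased service name encoded as UTF-16LE, split into five sub-authorities after S-1-5-80) are standard Windows values that the post itself does not list; the sample domain sub-authorities 111-222-333 are constructed.

```python
import hashlib
import struct

# Well-known SIDs for the special identities and default accounts discussed above
# (standard Windows values; the post does not list them).
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-5-2": "NETWORK",
    "S-1-5-4": "INTERACTIVE",
    "S-1-5-11": "Authenticated Users",
}
# RIDs that are fixed relative to a machine or domain SID: 500/501 exist in every
# local SAM and every domain, 512/513 only in a domain.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest",
                   512: "Domain Admins", 513: "Domain Users"}


def parse_sid(sid):
    """Split 'S-1-<authority>-<sub>-...' into (authority, [sub-authorities])."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a SID: {sid!r}")
    return int(parts[2]), [int(p) for p in parts[3:]]


def classify_sid(sid):
    """Return (scope, name): the scope in which the SID is unique, and what it names."""
    if sid in WELL_KNOWN:
        return ("well-known", WELL_KNOWN[sid])
    authority, subs = parse_sid(sid)
    # S-1-5-21-<three sub-authorities>-<RID>: the prefix identifies the machine
    # or domain (the scope); the RID identifies the principal within that scope,
    # so RID 500 in two different domains is two different Administrators.
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        scope = "S-1-5-21-" + "-".join(str(s) for s in subs[1:4])
        return (scope, WELL_KNOWN_RIDS.get(subs[4], f"RID {subs[4]}"))
    # S-1-5-80-...: a per-service SID, i.e. the NT SERVICE scope.
    if authority == 5 and subs[:1] == [80]:
        return ("NT SERVICE", sid)
    return ("unknown", sid)


def service_sid(service_name):
    """Derive a service SID: S-1-5-80 plus SHA-1(uppercase name, UTF-16LE) as five DWORDs."""
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    return "S-1-5-80-" + "-".join(str(x) for x in struct.unpack("<5I", digest))
```

Because the derivation upper-cases the name, a service SID is the same whatever case the service name is registered in, and it can be computed without the service having to exist yet.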

About the Author: Saquib Farooq Malik is a senior
Information Security Consultant at ITButler e-Services (www.itbutler.com.au).
Saquib specializes in Vulnerability Assessment and Penetration Testing and in
implementations of ISO 27001 in different corporate environments in the Middle
East.

He is a CISSP, an ITILv3 Foundation certified professional,
ISO 27001 Lead Auditor, Tenable Certified Nessus Auditor and a Lumension
Certified Engineer.